Verno wrote on May 28, 2012, 12:17: I long ago accepted that anything I gave to a company would be sold to marketing firms. Now I simply provide them with misinformation whenever possible and use trackable numbers/addresses so that I can satisfy my curiosity about who is selling what. Google Voice and Gmail are handy for this.

Unfortunately Blizzard accounts have been getting hacked left, right and centre and when you sign up for the authenticator it recommends using the SMS security to avoid getting locked out of your account. I signed up and started getting spam. So I do nothing and I risk my account being hacked; I sign up for protection and get subjected to spam. Thanks Blizzard.

It's pathetic that the whole of western society is geared up for screwing people over in the name of money. Is it really so difficult to provide a service that doesn't screw people over in the process?

I long ago accepted that anything I gave to a company would be sold to marketing firms. Now I simply provide them with misinformation whenever possible and use trackable numbers/addresses so that I can satisfy my curiosity about who is selling what. Google Voice and Gmail are handy for this.

I signed up for the authenticator and the SMS service. Next day I started getting SMS spam. I don't enter my mobile number into websites and I've never had a single spam text before. Other people on the forums are posting exactly the same thing.

OK, but I'm still confused even with this post(s)... If I understand what it is saying correctly, they HAVE had customers' accounts compromised that use an authenticator (OK, I got that). But the post from the Blizzard dude said that the MSInfo files showed that their systems were littered with viruses, malware and (possibly) file-share programs... If that is the case, the authenticator WON'T protect you... so what is the point?

Am I to assume that you guys are saying that it is Blizzard's responsibility to ensure customer accounts are not able to be compromised regardless of how careless the user is?

The "hacking" ("compromising" is probably a better word, since no real "hacking" is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed. They strip one player to sell to another, because it's much more efficient than "farming" gold. They still farm some of course, but they do it purely with compromised accounts.

Unfortunately, these compromisers make a lot of money off of the practice (because players buy gold) and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.

If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I've personally examined the MSInfo files of nearly all of the handful of WoW players who have actually been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

Again, compromising game accounts is a big business in some countries. They have people on their payroll who spread false rumors of "hacked through my authenticator" just to try to discourage people from using them. We charge $6.50 for the physical authenticator, because that's exactly what it costs us to make them. The mobile one is free because we don't have to pay a factory to build them. Use them, and enjoy your gaming without someone mucking with your stuff.

but today I accidentally (followed up by tests on my end to ensure I wasn't losing my mind) logged into D3 with caps lock on. That means it's not case sensitive. If this is the case (no pun intended) it would make brute force attacks much more effective.

**** Never mind, I guess; based on another poster, Blizzard doesn't use case-sensitive passwords... that, I don't agree with... but to each his own, I guess.
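The point the two posts above make about case-insensitive passwords, as an added worked example (not code from the original thread and not Blizzard's implementation): a server that folds case before hashing accepts a password typed with caps lock on, and an attacker who knows that only has to enumerate the folded alphabet. The SHA-256 storage scheme, the alphabets and the 3-character demo password are assumptions made for the illustration.

```python
"""Added example: how case-folding a password before hashing shrinks the
brute-force search space. Constructed illustration; the hashing scheme
(plain SHA-256, no salt) and alphabets are assumptions, not a description
of any real login service."""
import hashlib
import itertools
import math
import string

MIXED_ALNUM = string.ascii_letters + string.digits           # 62 symbols
FOLDED_ALNUM = string.ascii_lowercase + string.digits        # 36 after folding


def store(password: str, case_sensitive: bool) -> str:
    """Hash a password the way a (hypothetical) server would keep it.
    Case-insensitive verification is modelled by lower-casing first."""
    normalized = password if case_sensitive else password.lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


def verify(stored: str, candidate: str, case_sensitive: bool) -> bool:
    """Server-side check: a folding server accepts 'PASSWORD' for 'password'."""
    return store(candidate, case_sensitive) == stored


def brute_force(stored: str, length: int, case_sensitive: bool):
    """Attacker side: enumerate the smallest alphabet that can succeed.
    Returns (candidate_that_matched, attempts) or (None, attempts)."""
    alphabet = MIXED_ALNUM if case_sensitive else FOLDED_ALNUM
    attempts = 0
    for tup in itertools.product(alphabet, repeat=length):
        attempts += 1
        cand = "".join(tup)
        if verify(stored, cand, case_sensitive):
            return cand, attempts
    return None, attempts


def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Entropy of a uniformly random alphanumeric password of this length,
    as seen by the attacker."""
    n = len(MIXED_ALNUM) if case_sensitive else len(FOLDED_ALNUM)
    return length * math.log2(n)


def search_ratio(length: int) -> float:
    """How many times larger the case-sensitive search is: (62/36)**length."""
    return (len(MIXED_ALNUM) / len(FOLDED_ALNUM)) ** length


if __name__ == "__main__":
    pw = "aB9"  # constructed demo password, short enough to enumerate fully
    # A folding server lets the caps-lock variant in; a strict one does not.
    print("folding server accepts AB9:", verify(store(pw, False), "AB9", False))
    print("strict server accepts AB9: ", verify(store(pw, True), "AB9", True))
    for sensitive in (True, False):
        found, tries = brute_force(store(pw, sensitive), len(pw), sensitive)
        print(f"case_sensitive={sensitive}: found {found!r} after {tries} tries")
    for n in (6, 8, 10):
        print(f"length {n}: {keyspace_bits(n, True):.1f} bits vs "
              f"{keyspace_bits(n, False):.1f} bits, "
              f"search is {search_ratio(n):.0f}x smaller when folded")
```

For an 8-character alphanumeric password the folded search is about 77 times smaller (roughly 6.3 bits of entropy lost); the attacker never has to guess the user's capitalization because the server throws it away before comparing. Any online rate limit or lockout still applies per attempt, so the practical impact is largest against offline cracking of a leaked hash store.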

Prez wrote on May 23, 2012, 23:33: Not that it really matters in the long run, but what's to say it isn't just server/database errors that are causing a lot of the item losses and unexplained leveling being reported?

I guess it could be some bug taking out the gold and loot, but people are saying their passwords are changed too. Has to be hackers/phishers.

LaxerFL wrote on May 23, 2012, 20:45: I had my account hacked last night, about 10 minutes after I used the Auction House for the first time. I run antivirus that updates and scans every day. I run 2 spyware/malware programs that I update and scan with every week. I use Firefox with noscript and adblock. I've never typed my b.net account info on any website or email other than battle.net itself. I do not share the account. There are no children in my house and I am the only one who uses my computer. My password was mixed case, alphanumeric, random characters. No one guessed or brute forced my password. I've never played in a public game. I have no one on my friends list and have never played with anyone in a private game. I have soloed my whole play time.

The first time I use Blizzard's Auction House, 10 minutes later I get disconnected from the game with a message that another computer was logging into my account. I tried to log back in and my password had been changed. I did the password recovery bit through b.net, reset my password and when I logged back in, my guy was naked and penniless.

Blizzard restored my account to about 5 or 6 hours prior to the hack. I lost over 5 levels. I went from one boss into act 3 back to before I killed Zullten Khulle in act 2. I lost countless gems, and one of the best runs of rares I've had since the game came out. I had more than doubled my life and damage in that time. I'm so dejected I don't even want to log in and play now.

I had the smartphone authenticator attached to the account. I had the SMS Alerts enabled. I never got a text telling me the password was being changed and obviously the authenticator did nothing.

And to top it all off, Blizzard BANNED me from the forums and deleted all my posts when I called them out on the exploit. Yes, I used some choice words but there is a filter, no one could actually see the "dirty" words I used.

I have always supported Blizzard. I LOVE the game Diablo 3. But this has just sucked all the enjoyment out of it for me.

And now I've been on hold with Blizzard phone support for 1 hour 29 minutes. What I really want to know is WHY, when I was already logged in and playing, would they boot me to allow a second login attempt access? Why didn't the SMS alerts ALERT me when the password was trying to be changed? How did they log in without my Authenticator?

I know I'll never get the levels and gems and rares back. Now, I just want ANSWERS! I'll never use the Auction House again because that is obviously how they gained access to my account. I'm just so disappointed in Blizzard right now, I'm actually sad about this whole ordeal.


It's going to be difficult to piece together now; they took battle.net down for maintenance and changed the authentication schema. The only comparisons people can make are with old traffic dumps, and there's still the variable of the individual account holders' security. It is remarkably similar to the Rift launch/hacks though.

Oh and they hotfixed several abilities without any notification again (Smokescreen for DH, some Monk abilities/runes, etc) which is getting tiresome.

My coworker (btw, I am a Systems Security Engineer for the govt (CISSP), and have been doing security for decades) started up Wireshark, and then D3... he was telling me how easy it was to hijack his session... the session ID floating around out there... and then we got into the 2-step process it took to reverse engineer his authenticator.

Yeah, a friend of mine mentioned their use of unencrypted session IDs on the forums and they won't comment. Battle.net went down for maintenance later on as well which is amusing timing. I'd also note this same problem happened with Rift at launch but at least the devs owned up to it and fixed things quickly. This will likely just be handwaved away under the predictable guise of "ppl r stupid with computars!" which may be true but doesn't really answer every single case of this.

The other thing is that Battle.net accounts are very lucrative to hack. They are worth $25-50 a pop on the "black market", pose no risk of prosecution and are highly in demand. The idea that Blizzard is some unhackable entity just by virtue of being a profitable corporation is laughable. Quite often it's those same institutions which view IT/IS as money black holes and don't invest enough in them.

ColoradoHoudini wrote on May 22, 2012, 20:53: While everything is hackable, what's going on with D3 right now is rather troublesome. --for the record, he stopped playing last night after witnessing what he saw.

Interesting. I'm a bit of a network guy myself and I'd be (and I'm sure others would too) interested in hearing a little more about what he saw that made him stop playing. Are you saying that Blizzard is making some basic mistake that invalidates the security normally achieved by the tokens?